8 Answers
8

Actually, it's very easy to do damage to the network once you have 51%; just build your own chain faster than the network, and broadcast it whenever you like. If you send some of your coins to a new address in your own chain, all the transactions issued in the live network by spending those same coins will be reversed at the moment the longer chain is broadcast.

Right from the bitcoin wiki (probably proof-read by many pairs of eyes):

An attacker that controls more than 50% of the network's computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to:

Reverse transactions that he sends while he's in control

Prevent some or all transactions from gaining any confirmations

Prevent some or all other generators from getting any generations

The attacker can't:

Reverse other people's transactions

Prevent transactions from being sent at all (they'll show as 0/unconfirmed)

Change the number of coins generated per block

Create coins out of thin air

Send coins that never belonged to him

It's much more difficult to change historical blocks, and it becomes exponentially more difficult the further back you go. As above, changing historical blocks only allows you to exclude and change the ordering of transactions. It's impossible to change blocks created before the last checkpoint.

Since this attack doesn't permit all that much power over the network, it is expected that no one will attempt it. A profit-seeking person will always gain more by just following the rules, and even someone trying to destroy the system will probably find other attacks more attractive. However, if this attack is successfully executed, it will be difficult or impossible to "untangle" the mess created — any changes the attacker makes might become permanent.

From the documentation: The client accepts the 'longest' chain of blocks as valid. The 'length' of the entire block chain refers to the chain with the most combined difficulty, not the one with the most blocks. This prevents someone from forking the chain and creating a large number of low-difficulty blocks, and having it accepted by the network as 'longest'.
– Ilya Saunkin, Nov 12 '13 at 7:30
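To make the "most combined difficulty" rule from that comment concrete, here is an added illustration (not code from any poster here, nor from Bitcoin Core): it expands the compact nBits target, counts each block as 2^256 / (target + 1) expected hashes, and compares two forks by summed work rather than block count. The two nBits values used are a minimum-difficulty target and one higher-difficulty value chosen only as sample input.

```python
# Chain selection by cumulative work, not by number of blocks.

def decode_compact_target(bits: int) -> int:
    """Expand the 4-byte compact 'nBits' encoding into a 256-bit target.
    Top byte is a base-256 exponent, low 3 bytes the mantissa (sign bit masked)."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected number of hashes needed to find a block at this target."""
    return 2**256 // (decode_compact_target(bits) + 1)


def chain_work(bits_per_block) -> int:
    """Total work of a fork, given the nBits field of each of its blocks."""
    return sum(block_work(b) for b in bits_per_block)


def heavier_chain(chain_a, chain_b) -> str:
    """Which fork a node following the most-work rule would adopt: 'a', 'b' or 'tie'."""
    work_a, work_b = chain_work(chain_a), chain_work(chain_b)
    if work_a == work_b:
        return "tie"
    return "a" if work_a > work_b else "b"


if __name__ == "__main__":
    MIN_DIFFICULTY = 0x1D00FFFF   # difficulty-1 target (also the genesis block's nBits)
    HARDER = 0x1B0404CB           # sample higher-difficulty nBits value (about difficulty 16307)
    honest = [HARDER] * 10        # short fork of hard blocks
    forger = [MIN_DIFFICULTY] * 1000  # long fork of easy blocks, as the comment describes
    print("blocks: honest", len(honest), "vs forger", len(forger))
    print("work:   honest", chain_work(honest), "vs forger", chain_work(forger))
    print("adopted fork:", heavier_chain(honest, forger))   # 'a': the honest fork wins
```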

How would an attacker change a historic block?
– eran otzap, Jun 5 '18 at 21:01

1

@IlyaSaunkin, how would an attacker create a low-difficulty block? Wouldn't he still have to find the random nonce in every block in order to be approved by everyone once the fork is merged back?
– Joe MB, Jun 13 '18 at 3:19

In theory, this attacker owns enough computing power that they could execute a "double spend" attack. They could spend coins in one place, allow the coins to enter the block chain as normal until the required confirmations are met, then fire up their 51% of the miners to craft a fraudulent fork of the block chain in which those coins were never spent, allowing them to re-spend the coins. This could theoretically be repeated for as long as the attacker maintained control of 51% or more of the hashrate.

Realistically, 51% is only the point at which this becomes possible, not the point at which it becomes likely or easy. An attacker would probably need something like 65% to actually execute such an attack.

Could you clarify if that 65% figure is a made-up number or based on something? I'm guessing there might be some curve that could plot the likelihood of succeeding vs. the percentage of the hashing power owned, but I don't know the details well enough to be sure...
– Michael McGowan, Sep 6 '11 at 18:24

Will waiting for more confirmations decrease the chance of a successful double spend if an attacker consistently has 51% for a week?
– ripper234, Sep 6 '11 at 18:25

3

The 65% is a made-up number, little more than a semi-educated guess. If anyone has actual math to share, I'd be happy to modify my answer to include it. As for waiting on confirmations, it will help, but only so much. 51% or higher bestows some chance of forging a block on the attacker. If the attacker had 100% for a week they could undo a week's worth of blocks in that time. 51% would probably only let a thief undo a small handful of blocks, if that much - again, if anyone has the math to back this up, please post it.
– David Perry, Sep 6 '11 at 18:38

12

51% would allow an attacker to undo as many blocks as they wanted and undo a transaction no matter how many confirmations it has. They simply commit the transaction they wish to undo into the public block chain and a conflicting transaction into their private block chain. They then wait until as many confirmations as needed. They then wait until their private block chain is longer than the public blockchain, which it will eventually be with higher and higher probability. As soon as their chain is longer, they announce it, and their chain wins.
– David Schwartz, Sep 6 '11 at 21:29
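The math asked for in the comments above is worked out in section 11 of the Bitcoin whitepaper; the following is an added example (not code from any poster here) implementing Nakamoto's estimate of the attacker's success probability as a function of hashrate share q and confirmations z. It shows both points made above: below 50% the risk decays with each confirmation, while at 50% or more no number of confirmations helps.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Nakamoto's estimate (whitepaper, section 11) of the chance that an
    attacker holding fraction q of the hashrate eventually builds a longer
    chain than the honest network once a transaction has z confirmations."""
    p = 1.0 - q                      # honest share of the hashrate
    if q >= p:
        return 1.0                   # majority attacker: catches up with certainty
    if z == 0:
        return 1.0                   # unconfirmed: nothing to catch up with
    lam = z * q / p                  # expected attacker blocks while honest miners find z
    # The Poisson term is evaluated in log space so that large z
    # (hundreds of confirmations for q near 0.5) does not overflow.
    log_lam = math.log(lam)
    not_caught_up = 0.0
    for k in range(z + 1):
        poisson_k = math.exp(k * log_lam - lam - math.lgamma(k + 1))
        not_caught_up += poisson_k * (1.0 - (q / p) ** (z - k))
    return max(0.0, 1.0 - not_caught_up)


def confirmations_for_risk(q: float, max_risk: float = 0.001, z_limit: int = 2000):
    """Smallest confirmation count whose success probability is below max_risk,
    or None when the attacker has a majority (no confirmation count suffices)."""
    if q >= 0.5:
        return None
    for z in range(1, z_limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45, 0.51):
        print(f"q={q:.2f}: P(6 confirmations)={attacker_success_probability(q, 6):.7f}, "
              f"confirmations for <0.1% risk: {confirmations_for_risk(q)}")
```

The tabulated values in the whitepaper (for example q=0.1 needs 5 confirmations for under 0.1% risk, q=0.45 needs 340) come out of the same formula.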

And then there is the denial of service possibility of suddenly withdrawing from the service, taking the necessary computing resources away to continue to solve blocks every ten minutes until the difficulty is adjusted down again (which could take a long time if there is only a block every day for example).

If hashes are created every 10 minutes, and 51% leaves the network, then hashes are created about every 20.4 minutes, so this answer is wrong (or assumes a lot more than 51% and thus doesn't answer the question).
– Artem Kaznatcheev, Sep 8 '11 at 2:49

2

@Artem: Yes, I was trying to convey that in the last sentence. Sorry if that was unclear. I'll move the answer over to the question "What can an attacker with 95% of hash power do?" once it is asked ;-)
– Thilo, Sep 8 '11 at 2:55

Anyone who owns 51% of the network will have made a massive investment in hardware and systems to organize and construct a machine capable of executing such an attack. If their motive is profit, then the short term gain associated with forking the block chain to enable 'double spend' will net them a negligible benefit; it's difficult to imagine they would pursue this strategy on the basis that the resulting instability will ultimately de-value the very coins they seek to 'spend twice'. If their motive is to destroy Bitcoin, period, that is another matter altogether. That kind of techno-vandalism could only reasonably be motivated by someone with destruction and disruption serving as their primary motivation.

Instead, I posit it's much more likely that such a massive and powerful compute resource (Bitcoin supercomputer) will be used to power the vast bulk of the network within the bounds of its intended use, profiting long term from generation rewards and transaction fees, as the network grows and prospers over time.

"will have made a massive investment in hardware and systems": based on this and the following, you kind of imply that the attacker would need to put massive amounts of, ahem, real-world money and resources into that. That doesn't have to be true: 1) the attacker can use the inflated value of pre-mined virtual currency; 2) fraudulent technical engineering (e.g. an automatically built botnet); 3) social engineering, like inviting minority users to participate in "mining pools", essentially incentivizing users to willingly be put in ad hoc botnets orchestrated by the pool owner(s).
– pfalcon, Dec 7 '13 at 5:44

The answers so far focus on the algorithm itself; I have a few socioeconomic thoughts to add.

Let's assume Bitcoin is massively popular and indeed becomes THE global go-to currency; at this point this and similar questions become (very) relevant.

What happens in maturing industries is that through commoditization and mergers smaller and smaller numbers of players remain. Through scale advantages this small number of players will be able to provide services at lower cost and squeeze out smaller players. I see little reason the industry of Bitcoin transaction processing will be exempt from this general rule.

Next, we cannot foresee every aspect of the future; even though the Bitcoin designers did a terrific job, there will be situations that will call for changes to the system. For example there might be a call from the people to stop child porn networks, to stop capital shelters for the rich, to stop overly profitable and powerful corporations,... etcetera, you name it. Whether justified or not, the people will demand changes, not necessarily a villain government individual, the people.

Since there is only a small number of players, it is actually possible to regulate the industry. For example the regulation could be that only payments with a traceable account number will be processed, or only payments with attached fees that include a portion for tax.

I would think the government could even demand changes to the core of the algorithm. Preventing, for example, "non-certified" players to enter, thereby further establishing the power of the existing payment processors.

The newly elected monopolists will then, in the final phase of capitalism's self-destruction, slowly but steadily raise their processing prices, eventually driving customers away and causing the Bitcoin to never reach the deflationary status many proponents and early investors claim it will have.

And let's just hope it ends this way; a forking scenario from this could be that the Bitcoin reaches "too big to fail" status, and the people demand further regulation (of processing fees, mining speed caps, etc). We will all keep paying a premium on the existence of the currency, just for the sake of stability and the fear of disruption of the status quo. Just like with today's currencies.

I'm not trying to be skeptical; I'm actually very hopeful the crypto currencies are going to help with globalization and advance humanity. As a deflationary currency to "easily" save for your (early) retirement I am not so sure. As a transaction system probably in some way.

Maybe we don't actually need a "currency"; maybe all we need is a transaction. Maybe there can be a super layer on top of multiple competing crypto currencies that quickly and automatically switches your money back and forth between the best suitable mix of currencies and investment funds. After all, what you really care about is how your salary is exchanged into goods and future promises.

Since the various governments would likely have differing interests, it seems unlikely that any one government could demand anything from the Bitcoin project.
– Murch♦, Dec 19 '15 at 0:19

@Murch: given that miners are heavily located in few countries, a handful of governments could agree on hijacking a majority of hashpower, thus changing the rules as they see fit (e.g. imposing part of the transaction fee to go into tax).
– PPC, Aug 11 '17 at 9:20

Miner centralization is indeed a big concern, although they could only impose this on the companies in their jurisdiction and probably not on the network itself. Likely, the network would answer with a proof of work algorithm change if this turned into a major impediment for transaction traffic.
– Murch♦, Aug 11 '17 at 20:00

It is presumed in this scenario that this group of corporations has, and can maintain, 51% of the hash power of the entire network. Globalization of this scale doesn't exist, and I don't think it will ever be viable.
– user60758, Sep 28 '17 at 20:09

Right. If you mine more than half of the blocks, you can prevent anyone else from mining. Eventually, the difficulty will go down, and you'll be mining a block every ten minutes.
– Nick ODell, Jun 24 '15 at 7:26

You should consider adding a quote of the link you're giving: link answers are annoying and of poor quality.
– PPC, Aug 11 '17 at 9:23

I think a hypothetical 51% attack needs some preconditions to be actually launched. I mean there will be 'signs' before the actual launch. ASIC chip production and distribution statistics, business news and evidence will generate alarms and precautions. It is not a purely mathematical subject and should be considered as a socioeconomic threat. When alarms are triggered, players will participate in preventive protocols more willingly, and a lot of such preventive protocols will be presented. I personally do not take this attack as a serious threat.

A 51% attack would simply destroy the currency, and anyone holding a short position would make 100% profit. So there is a strong financial incentive for this attack and it has happened many times.

It has never been exploited on bitcoin.
– Raghav Sood, Oct 23 '18 at 6:10

Why is this answer downvoted? It is absolutely true with the creation of BTC futures. To @RaghavSood, futures exchanges (major ones) have only been around about a year (not counting Bitmex). If the current futures exchanges had been around since bitcoin was born in 2009, then I'd bet for sure that the exploit would have been considered and probably even attempted.
– nanonerd, Jan 3 at 3:27
